We're running an ELK cluster on AWS. We also run a single box with all of ELK on it to verify changes locally before pushing to the cloud.

We're running into an issue where the local box can run the GeoIP2-City.mmdb database and pull all of the information out correctly. When we try to do the same thing on AWS we're getting errors. Specifically, here's what we're seeing:

We have the exact same db, OS version, ELK versions, and logstash.conf (except where output points) file running on the two ELK platforms - local and cloud. We also stood up another ELK box on AWS to see if having all of ELK on one box somehow prevented the issue, but alas it's also having the same problem with Logstash as the other AWS device.

The records that failed have a "_grokparsefailure" tag set, which indicates that the grok parsing failed and that the client_ip field, which the geoip filter relies on, therefore will not be extracted. Are you feeding different data in the two systems?
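An added example, not part of the thread: a Python triage script that separates events where grok failed (so client_ip never existed) from events where the geoip lookup itself failed, which helps tell a data difference from a database problem. The sample events, the `host` grouping field and the `geoip` target field name are assumptions; `_geoip_lookup_failure` is the geoip filter's default failure tag.

```python
import json
from collections import Counter, defaultdict

# Constructed sample events (not from the thread), one JSON document per line,
# in the shape Logstash writes with a json_lines codec.
SAMPLE = """\
{"host": "local", "message": "203.0.113.7 GET /", "client_ip": "203.0.113.7", "geoip": {"country_code2": "US"}}
{"host": "aws", "message": "<134>1 lb 203.0.113.7 GET /", "tags": ["_grokparsefailure"]}
{"host": "aws", "message": "10.0.0.5 GET /", "client_ip": "10.0.0.5", "tags": ["_geoip_lookup_failure"]}
{"host": "aws", "message": "198.51.100.9 GET /", "client_ip": "198.51.100.9"}
"""

def classify(event, ip_field="client_ip", geo_field="geoip"):
    """Return why an event has (or lacks) GeoIP data."""
    tags = event.get("tags") or []
    if isinstance(tags, str):          # a single tag may arrive as a bare string
        tags = [tags]
    if "_grokparsefailure" in tags:    # grok never matched: no source field to look up
        return "grok_failed"
    if not event.get(ip_field):        # grok matched but the IP field is absent or empty
        return "no_source_field"
    if "_geoip_lookup_failure" in tags:  # IP present, database lookup failed
        return "geoip_lookup_failed"
    if event.get(geo_field):
        return "ok"
    return "geoip_not_applied"         # IP present, filter never ran or wrote elsewhere

def summarize(lines, group_by="host"):
    """Count classifications per value of group_by (assumed to be a string field)."""
    counts = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            counts["<unparseable>"]["bad_json"] += 1
            continue
        counts[str(event.get(group_by, "<unknown>"))][classify(event)] += 1
    return counts

if __name__ == "__main__":
    for host, result in sorted(summarize(SAMPLE.splitlines()).items()):
        print(host, dict(result))
```

A high `grok_failed` count on one system only points at differing input, while `geoip_lookup_failed` with client_ip present points at the database or the filter.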

Yes, that's the proprietary version of the db. What's interesting is that it works just fine on a local machine, but won't work on AWS. Is there some difference with running logstash on the cloud that would cause that to be an issue?